Service abuse: Google application integration redirecting to suspicious hosts
Detects legitimate Google application integration emails that contain links redirecting to free file hosting services or free subdomain hosts, including Microsoft OAuth redirects to suspicious domains. These could indicate abuse of Google's legitimate service for malicious redirects.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing, Malware/Ransomware |
| Tactics and techniques | Evasion, Free file host, Free subdomain host, Open redirect |
Event coverage
| Message attribute |
|---|
| body |
| body.links (collection) |
| headers.auth_summary |
| sender.email |
| type |
Rule body MQL
```mql
type.inbound
and sender.email.email == "noreply-application-integration@google.com"
and headers.auth_summary.dmarc.pass
and length(body.links) < 10
and any(body.links,
        .href_url.domain.domain in $free_file_hosts
        or .href_url.domain.root_domain in $free_file_hosts
        or .href_url.domain.domain in $free_subdomain_hosts
        // Mimecast link logic
        or (
          .href_url.domain.root_domain in (
            "mimecastprotect.com",
            "mimecast.com"
          )
          and any(.href_url.query_params_decoded['domain'],
                  strings.parse_domain(.).domain in $free_file_hosts
                  or strings.parse_domain(.).root_domain in $free_file_hosts
                  or strings.parse_domain(.).root_domain in $free_subdomain_hosts
                  or . in (
                    "storage.cloud.google.com",
                    "login.microsoftonline.com"
                  )
          )
        )
        or network.whois(.href_url.domain).days_old < 30
        // abuse observed
        or .href_url.domain.root_domain == "share.google"
)
```
Detection logic
Scope: inbound message.
- inbound message
- sender.email.email is 'noreply-application-integration@google.com'
- headers.auth_summary.dmarc.pass
- length(body.links) < 10
- any of body.links where any holds:
  - .href_url.domain.domain in $free_file_hosts
  - .href_url.domain.root_domain in $free_file_hosts
  - .href_url.domain.domain in $free_subdomain_hosts
  - all of:
    - .href_url.domain.root_domain in ('mimecastprotect.com', 'mimecast.com')
    - any of .href_url.query_params_decoded['domain'] where any holds:
      - strings.parse_domain(.).domain in $free_file_hosts
      - strings.parse_domain(.).root_domain in $free_file_hosts
      - strings.parse_domain(.).root_domain in $free_subdomain_hosts
      - . in ('storage.cloud.google.com', 'login.microsoftonline.com')
  - network.whois(.href_url.domain).days_old < 30
  - .href_url.domain.root_domain is 'share.google'
Inspects: body.links, body.links[].href_url.domain, body.links[].href_url.domain.domain, body.links[].href_url.domain.root_domain, body.links[].href_url.query_params_decoded['domain'], headers.auth_summary.dmarc.pass, sender.email.email, type.inbound. Sensors: network.whois, strings.parse_domain. Reference lists: $free_file_hosts, $free_subdomain_hosts.
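To show how the predicates above combine, here is an added Python re-implementation of the rule's logic run over constructed sample messages; it is not Sublime's code or MQL. The `$free_file_hosts` / `$free_subdomain_hosts` entries, the `whois_days_old` table standing in for `network.whois`, and the message dict shape are all assumptions made for the example.

```python
from urllib.parse import urlparse, parse_qs

# Constructed stand-ins for Sublime's $free_file_hosts and $free_subdomain_hosts
# reference lists; the entries are hypothetical, not Sublime's real lists.
FREE_FILE_HOSTS = {"free-files.test"}
FREE_SUBDOMAIN_HOSTS = {"free-sub.test"}
MIMECAST_ROOTS = {"mimecastprotect.com", "mimecast.com"}
WRAPPED_TARGETS = {"storage.cloud.google.com", "login.microsoftonline.com"}
SENDER = "noreply-application-integration@google.com"

def root_domain(host):
    # Last two labels as an approximation of the registrable domain; Sublime's
    # .root_domain is public-suffix aware, which matters for hosts like foo.co.uk.
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def link_matches(href, whois_days_old):
    # whois_days_old: constructed {host: age_in_days} standing in for network.whois()
    host = (urlparse(href).hostname or "").lower()
    if host in FREE_FILE_HOSTS or root_domain(host) in FREE_FILE_HOSTS:
        return True
    if host in FREE_SUBDOMAIN_HOSTS:
        return True
    # Mimecast URL-protection wrapper: the real destination sits in ?domain=
    if root_domain(host) in MIMECAST_ROOTS:
        for inner in parse_qs(urlparse(href).query).get("domain", []):
            inner = inner.lower()
            if (inner in FREE_FILE_HOSTS or root_domain(inner) in FREE_FILE_HOSTS
                    or root_domain(inner) in FREE_SUBDOMAIN_HOSTS
                    or inner in WRAPPED_TARGETS):
                return True
    if whois_days_old.get(host, 10**6) < 30:
        return True
    return root_domain(host) == "share.google"  # abuse observed, per the rule

def rule_matches(msg, whois_days_old):
    # Mirrors the rule's top-level conjunction: inbound, exact sender, DMARC pass,
    # fewer than 10 links, and at least one link satisfying link_matches().
    return (msg["inbound"]
            and msg["sender"] == SENDER
            and msg["dmarc_pass"]
            and len(msg["links"]) < 10
            and any(link_matches(h, whois_days_old) for h in msg["links"]))

# Constructed sample messages and a constructed whois-age table.
WHOIS = {"brand-new-host.test": 4, "docs.google.com": 9000}
MIMECAST_MSG = {"inbound": True, "sender": SENDER, "dmarc_pass": True,
                "links": ["https://url.mimecastprotect.com/s/abc?domain=login.microsoftonline.com"]}
BENIGN_MSG = {"inbound": True, "sender": SENDER, "dmarc_pass": True,
              "links": ["https://docs.google.com/forms/d/example"]}
```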
Indicators matched (6)
| Field | Match | Value |
|---|---|---|
| sender.email.email | equals | noreply-application-integration@google.com |
| body.links[].href_url.domain.root_domain | member | mimecastprotect.com |
| body.links[].href_url.domain.root_domain | member | mimecast.com |
| body.links[].href_url.query_params_decoded['domain'][] | member | storage.cloud.google.com |
| body.links[].href_url.query_params_decoded['domain'][] | member | login.microsoftonline.com |
| body.links[].href_url.domain.root_domain | equals | share.google |